
Re: [Users] Win2k - Freeswan: Windows CryptVerifySignature error

From: Andreas Steffen (andreas.steffen_at_zhwin.ch)
Date: Thu Mar 28 2002 - 08:02:22 CET


Have you verified if FreeS/WAN's private RSA key loaded in /etc/ipsec.secrets
matches the certificate contained in /etc/x509cert.der?

  openssl rsa -in freeswanKey.pem -noout -text

and

  openssl x509 -inform der -in /etc/x509cert.der -noout -text

should list the same modulus.

Andreas

"Seide, S" wrote:
>
> Hi,
>
> I'm trying to connect a Windows 2000 SP2 client to a Freeswan gateway
>
> The Linux Side is SuSE Linux 7.1 + Freeswan 1.96/X.509 Patch 0.99.
> For the Windows Client I used the IPSec-Tool to create the rules and to
> import the certificates. Verifying the certificates with the IPSec-Snapin
> I found the following ones (sorry, do not know the english names):
> - my own cert with private key under
> "lokaler Computer -> Eigene Zertifikate -> Zertifikate"
> - Root certificate
> "lokaler Computer -> Vertrauenswuerdige Stammzertifizierungsstellen -> Zertifikate"
> - IPSec gateway certificate
> "lokaler Computer -> Zwischenzertifizierungsstellen -> Zertifikate"
> looking at their properties, all certificates seem to be valid
>
> Now, trying to ping a host behind the gateway, windows starts establishing a SA but
> fails with error messages in oakley.log. On the Linux side nothing went wrong -
> the logfile shows that windows is sending an AUTHENTICATION_FAILED
>
> Using another windows client (98/NT) with PGPnet and the same certificates or Win2K
> with preshared secrets everything works fine.
>
> TIA,
> Stefan Seide
>
> x.x.x.x - Win2k
> y.y.y.y - IPSec gateway
> z.z.z.z - host behind gateway
>
> oakley.log
> ==========
...
> 3-27: 12:37:43:104 processing payload ID
> 3-27: 12:37:43:104 Process Id
> 3-27: 12:37:43:104 processing payload CERT
> 3-27: 12:37:43:104 Processing Cert
> 3-27: 12:37:43:104 ProcessingCert
> 3-27: 12:37:43:104 processing payload SIG
> 3-27: 12:37:43:104 Process SIG
> 3-27: 12:37:43:104 Verifying CertStore
> 3-27: 12:37:43:104 Cert Trustes. 0 0
> 3-27: 12:37:43:104 Matched Name in cert host.domain.tld
> 3-27: 12:37:43:104 Cert lifetime in seconds low 43117638, high 0
> 3-27: 12:37:43:104 Responder ID 0200000067656f726769612e6265726b
> 3-27: 12:37:43:104 6f6d2e6465
> 3-27: 12:37:43:104 Sig to Verify d235ca7d758c6632b094a08d4670a4c7
> 3-27: 12:37:43:104 f6aec722c3098e8408e037fb49b38230
> 3-27: 12:37:43:104 ecbc3da42df2e4956c3f7ddb3ab933a6
> 3-27: 12:37:43:104 9cc3b9568d2883238a224742efde80cf
> 3-27: 12:37:43:104 dfd1e4f633babb51eb2ed2db4d4ed5a5
> 3-27: 12:37:43:104 0cc0a6bfcf1bdffc95dcd5d2a810c25f
> 3-27: 12:37:43:104 d8dd26658106ff698fae01d81e5b56f0
> 3-27: 12:37:43:104 63e1eef54abbf818fa9d5d24bda26913
> 3-27: 12:37:43:104
> 3-27: 12:37:43:104 Error 80090006 during CryptVerifySignature!
>
> 3-27: 12:37:43:104 Zertifikatsbasierte Identität.
> Antragsteller DE, Ort, Name, Name2, IPSec Gateway, root_at_host.domain.tld
> Ausstellende Zertifizierungsstelle DE, Ort, Name, Name2, OU, ON, ca_at_host.domain.td
> Stammzertifizierungsstelle DE, Ort, Name, Name2, OU, ON, ca_at_host.domain.td
> Peer-IP-Adresse: y.y.y.y
...
>
> ----/.sig/------------------------------------------------------
> Stefan Seide
> Sprachübertagungssysteme, EA15.x T-Systems Nova GmbH, Berkom
> e-mail: stefan.seide_at_t-systems.com Goslarer Ufer 35
> phone: +49 30 3497 2359 D-10589 Berlin
> fax: +49 30 3497 2967 Germany
> ---------------------------------------------------/.sig/-------

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
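The modulus comparison Andreas suggests, scripted as an added example (this is not code from the list post or from FreeS/WAN). It assumes the gateway's private key is available as a PEM file, as with the freeswanKey.pem in the reply, and that the certificate is DER-encoded like /etc/x509cert.der; the file names and the self-signed test material it generates are constructed for the demo. A key whose modulus differs from the certificate's is exactly the situation in which the peer would compute the signature with one key while the Windows client verifies it against another public key, so the check flags the wrong-key case before IKE ever runs.

```shell
#!/bin/sh
# Added example, not from the FreeS/WAN list post: check that an RSA private
# key (PEM) and an X.509 certificate (DER, like /etc/x509cert.der) carry the
# same modulus. Paths and test material below are constructed for the demo.

# modulus_matches KEY.pem CERT.der
# Returns 0 when key and certificate share one modulus, 1 when they differ,
# 2 when openssl cannot parse either file. Both openssl commands print the
# modulus as "Modulus=<hex>", so the strings can be compared directly.
modulus_matches() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 2
    cert_mod=$(openssl x509 -inform der -in "$2" -noout -modulus 2>/dev/null) || return 2
    if [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]; then
        return 0
    fi
    return 1
}

# make_demo_material DIR
# Builds constructed test material: a gateway key, a self-signed DER
# certificate issued from that key, and a second, unrelated key that plays
# the role of a key accidentally loaded in place of the right one.
make_demo_material() {
    openssl genrsa -out "$1/freeswanKey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/freeswanKey.pem" -days 365 \
        -subj "/CN=gateway.example.test" -out "$1/x509cert.pem" 2>/dev/null
    openssl x509 -in "$1/x509cert.pem" -outform der -out "$1/x509cert.der"
    openssl genrsa -out "$1/otherKey.pem" 2048 2>/dev/null
}

# Stand-alone run: build the material, test the right key and the wrong key.
demo_dir=$(mktemp -d)
make_demo_material "$demo_dir"

if modulus_matches "$demo_dir/freeswanKey.pem" "$demo_dir/x509cert.der"; then
    echo "freeswanKey.pem matches x509cert.der"
else
    echo "freeswanKey.pem does NOT match x509cert.der"
fi

if modulus_matches "$demo_dir/otherKey.pem" "$demo_dir/x509cert.der"; then
    echo "otherKey.pem matches x509cert.der"
else
    echo "otherKey.pem does NOT match x509cert.der (expected: wrong key)"
fi

rm -rf "$demo_dir"
```

On a real gateway, point modulus_matches at the key file referenced from /etc/ipsec.secrets and at /etc/x509cert.der; a return code of 2 usually means the key is password-protected or the certificate is PEM rather than DER, so add -passin or drop -inform der accordingly before trusting the result.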



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST